The Future of Anti-Virus

The problem with your typical signature-based anti-virus software is that it relies on virus signature definitions to do its detection. It works sort of like a vaccine. You get vaccinated against the latest threats, which should protect you should you happen to run into them, and your “vaccinations” come in the form of downloadable updates to your virus signature database. Unfortunately, hundreds of new viruses are released every single day–that’s just way too much for the “vaccination makers” to keep up with. By the time you download the latest virus signatures, they’re already out of date and you’re still left unprotected against the latest threats. That’s where sandboxing comes in.

If signature-based anti-virus is like getting vaccinations every day, sandboxing (also known as “Host Intrusion Prevention Systems” or “HIPS”) is like wearing a hazmat suit whenever you venture into a hazardous environment. So what’s a hazardous environment, and how does this hazmat suit work, exactly? First, let’s separate computer programs into two categories: “Safe” and “Potentially Unsafe”.

Safe software includes things like your word processor, media player and image editor. They typically run completely on your desktop and don’t really connect to the Internet in any significant way. You certainly can’t download and run files through them from anonymous sources, so there’s no way to accidentally download a virus through them.

Potentially unsafe software includes your web browser, email client, FTP client, P2P sharing software, instant messengers and more. This type of software is typically always connected to the Internet and can download data from anonymous, potentially unsafe sources. If it’s possible to get a virus through it, we categorize it as potentially unsafe. This is the hazardous environment you shouldn’t be walking through with just an outdated vaccine!

What sandboxing software does is section off potentially unsafe software from the rest of your system. So, if you do happen to click that link to ww2.kut3puppeez.net.cn or if you do happen to open that scary_video.mov.EXE attachment your sister emailed you, the virus inside will still run, but it won’t really be able to do anything. It won’t be able to patch your system files. It won’t be able to run in the background all the time. It will just sit there and wonder “where’d the rest of the computer go?”.

Actually, since the virus won’t know what to do, it will most likely just crash. Either way, after a restart, even the most dangerous and sophisticated virus will be gone without ever having been given the chance to do any damage. Poor virus.

There are two ways sandboxing works. One is through virtualization, the other is through strict access policies. A discussion on how these work is a little outside the scope of this article, but both are very effective and yield the same results–the ability to isolate potentially unsafe programs and anything downloaded through them from the rest of your system.

The only downside to sandboxing comes when you download a program and actually do want to give it access to the rest of the system. Doing this is usually pretty simple, though, and well worth the effort. All you do is right-click the downloaded file and select the option to mark it as trusted. That’s it! The file is now out of the isolated sandbox and allowed to run and modify your system like normal.

Combined with a traditional signature-based anti-virus, such as Microsoft Security Essentials, a sandbox should be all you need to stay protected while traversing the hazardous environment that is the Internet. To get infected with a virus you would have to intentionally mark it as trusted and the virus would still have to avoid your signature-based anti-virus. In other words, you’d have to unzip your hazmat suit for just a second and not be vaccinated against whatever you intentionally let in.

If you want a good, free sandboxing solution, check out GeSWall from GentleSecurity. If you don’t mind paying a little, SoftSphere Technologies’ DefenseWall has a few extra bells and whistles. And if you’re running a 64-bit system, unfortunately your only option at the moment is the beta version of Sandboxie. Not that Sandboxie is bad, but hopefully we see official support for 64-bit systems from everyone soon. Stay safe out there!